Ivar @ eRay, Manc, 17/1/2K5

How to set up a mail server on a GNU / Linux system.

Step by step guide, to install Postfix on a Mandrake server.

This is an easy step-by-step guide for the computer literate who are not quite gurus.
The initial steps get a server up before (over) extending it,
and then tighten it down for security and convenience.

You should follow each step, to get an understanding so that you could tweak
it to your needs.

All software used is Open Source and free (as in beer). Most of it is GPLed.

Feel free to link to this from any related websites. Please reference back
any work based on this Howto.

Written by Ivar Abrahamsen
of electric ray. The initial draft
of this Howto was started on the 22nd February 2004. The last modification
was on 17th January 2005. Ivar is a Norwegian software engineer based in England.

Here is a brief rundown of the software packages I use in this setup.
Links and discussion on alternative software can be found in Appendix A.

OS: Mandrake Linux

The OS this tutorial is run on is a Mandrake Linux distribution. This is
my chosen distribution; with minor tweaking the guide should be
compatible with other distributions, I just don't have access to a system
with them on.

This was originally written based upon Mandrake 9.1, then updated for 9.2,
and is now based on Mandrake 10 Official.

Any further future releases should be compatible with this tutorial with
a few tweaks.

MTA: Postfix

Sendmail is the most famous MTA (email server) for *nix flavours.
However it is a monster, which is where Postfix comes in.
It is designed as a capable but easier to use MTA.

Database: MySQL

A database is not essential for a mail server of this kind,
but it does make it easier to maintain and scale.

Pop/Imap: Courier IMAP

A stable IMAP/POP server that is often used with Postfix.
It handles SSL as well and is easy to configure.

WebMail: SquirrelMail

Also a well supported application that is easy to configure.
PHP based and sits in your web directory.

SMTP Authentication: Pop-Before-SMTP

If you need outsiders to send email via your server, you need to authenticate them somehow.
Pop-Before-SMTP is an easy way to do this, and requires no user configuration.

Content Check Interface: Amavisd-new

Amavisd-new, a fork of Amavisd, is an interface with several easy plug-ins for content checking.
It is well supported and has extensive configuration options.

AntiSpam: SpamAssassin

A well known spam detector. Often achieves 99% detection.
It uses several techniques: signatures, blacklists and now Bayesian filters.

Fetch the source/binary of the S/W we are going to use.
Mandrake comes with several of the S/W used as RPMs;
the others must be fetched from the links in Appendix A.

I recommend always getting the latest stable versions and keeping yourselves
up to date. However this tutorial may not be fully compatible with future
versions, so maybe use the ones mentioned here, then upgrade after you have got
it working.

If your distribution does not come with a pre-built Postfix, or, in the
case of Mandrake 9.x, the pre-built RPM does not include MySQL support,
then you need to uninstall, rebuild the RPM and reinstall the rebuilt RPM.
(Appendix A has a link to a Mandrake 9.1 Postfix
RPM with MySQL support.)

Basic server

The initial step is to get a server up and running.
For that we will install only Postfix, MySQL and Courier.
I've included the database, but you can have an even more basic server without it.
I have included it as my further steps depend on it.

Install the Postfix RPM with MySQL support.
If you are using Mandrake 10, you need the Postfix RPM and the Postfix-MySQL RPM (and their dependencies).
This will do a lot of the necessary steps for you.
It should create the user and groups required.
It will create the init script for you and create the folder /etc/postfix
where all the configuration files will be kept.

Make sure the RPM has created the correct users and groups.
Postfix uses a postfix user and a postdrop group.

You need to create the folder where the mails will be spooled to.
In my setup this is /var/mail/virtual.
You also need an owner for the emails and the directory.
Create this directory and change its owner to virtual:

You may need to edit the aliases file, and towards the bottom replace a
user (yours?) with the dummy one, so that all email to root
goes to you. This may already have been set for you, so this step may not
be necessary. But do it anyway and then create a hash of it with this command:

postalias aliases

Create backup copies of main.cf and master.cf,
and keep doing so throughout this tutorial for safety's sake.

Postfix has a great security feature of running everything in a chroot.
This restricts all files that anyone can access through it to within /etc/postfix
only.

However this is restrictive when you need to access other parts, and we
may need to disable this option initially. Remember this step: first change
nothing, only view your master.cf and note what state each service
under the chroot column is set to. If virtual is set to y,
change this to n.

If some stages don't work, it is often the chroot step that is restricting
them. You may often find yourself turning the whole chroot column
to n to test whether it is the problem, then setting them back to y where applicable.

(It is important that you change these back to y later, once
you have tested whether they are the source of problems or not. Otherwise you won't
be utilising the chroot jail facility of Postfix.)
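Flipping the chroot column by hand, and later flipping it back, is where mistakes creep in (a stray column shift silently changes a different field). The following script, an added example that is not part of the howto or of Postfix, reads a master.cf, reports each service's chroot flag, and rewrites only that token while preserving the column alignment; the master.cf text inside it is a constructed sample in the standard layout (service, type, private, unpriv, chroot, wakeup, maxproc, command).

```python
"""Inspect and toggle the chroot column of a Postfix master.cf.

Added example, not code from the original howto or from Postfix. The
file text below is a constructed sample in the master.cf column layout
(service type private unpriv chroot wakeup maxproc command + args).
"""
import re

# Constructed sample master.cf; indented "-o" lines belong to the entry above.
SAMPLE_MASTER_CF = """\
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
pickup    fifo  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
virtual   unix  -       n       y       -       -       virtual
  -o virtual_mailbox_base=/var/mail/virtual
local     unix  -       n       n       -       -       local
"""

CHROOT_COL = 4  # zero-based position of the chroot column


def is_service_line(line):
    """Service entries start in column 0; comments and -o continuations do not."""
    return bool(line) and not line[0].isspace() and not line.startswith("#")


def chroot_state(master_cf):
    """Map each service name to its chroot flag ('y', 'n' or '-' for default)."""
    state = {}
    for line in master_cf.splitlines():
        if not is_service_line(line):
            continue
        fields = line.split(None, 7)
        if len(fields) > CHROOT_COL:
            state[fields[0]] = fields[CHROOT_COL]
    return state


def _set_flag(line, flag):
    """Rewrite the chroot token of one service line, preserving column spacing."""
    parts = re.split(r"(\s+)", line)  # tokens at even indexes, gaps at odd ones
    idx = 2 * CHROOT_COL
    if idx < len(parts) and parts[idx] in ("y", "n", "-"):
        parts[idx] = flag
    return "".join(parts)


def set_chroot(master_cf, flag, services=None):
    """Return master.cf text with the chroot column set to `flag` ('y'/'n').

    With services=None every entry is changed (the "turn the whole column
    to n" test the howto describes); otherwise only the named services change.
    """
    if flag not in ("y", "n"):
        raise ValueError("chroot flag must be 'y' or 'n'")
    out = []
    for line in master_cf.splitlines():
        if is_service_line(line) and (services is None or line.split()[0] in services):
            line = _set_flag(line, flag)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(chroot_state(SAMPLE_MASTER_CF))
    print(set_chroot(SAMPLE_MASTER_CF, "n", services={"virtual"}))
```

Run `chroot_state` on your real file before and after a debugging session and diff the two dictionaries; any service still at `n` that was `y` before is a jail you forgot to close. Note that the jail root Postfix uses is its queue directory (/var/spool/postfix on most installs), which is why the MySQL socket mentioned later in this howto ends up outside it.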

Set up a clean and basic main.cf. Mdk 10 comes with a basic main.cf
that you can base yours upon. These are example settings:

Next add your ISP's SMTP server, or whichever SMTP server you normally use
for sending emails through. Once you have firewalls, DNS and all
settings tested you can leave this blank, so that your server acts as the relayhost
on its own. You are then in more control of the queues, although I feel
more secure relaying through my ISP's SMTP server.

relayhost=smtp.yourisp.tld

Add the name of your server.
Postfix is clever and may work it out anyway,
but it is better to specify it.
Postfix will work out the domain name from it.

myhostname=server.domain.tld

Next we need to tell Postfix we won't be using local users, but instead
database-based virtual users.

Obviously, change the fields where applicable.
If your mail database (dbname),
MySQL username (user),
MySQL password (password) or
database server (hosts)
is not correct, change it to your setup.
However if you keep to my setup exactly, only
the password field needs adjusting.

If you mess up and lock yourself out of MySQL, don't panic.
There are several ways to recreate your users;
look up in Google for ways to start MySQL without grant tables.
Or if you don't have any data in other databases, reinstall it!

id is the email field, a complete address, which is the id people use.
crypt is the password field, encrypted with Unix crypt(), and not MySQL's version.
Its default password is ChangeMe. Obviously change these later.
home is the path to where the folders are kept,
and maildir is the directory where this user's mail is kept.
Multiple rows with the same maildir will share emails.
If maildir ends in a /, then Postfix will use the
maildir mail spooling option and not the mail file spooling.
I think Courier requires maildir format.
Ignore the other fields for now.

Data

Not many systems are any good without any data in them.
You need to comply with some RFC by adding abuse and postmaster
as valid email addresses. Also a root user is a good idea.
In MySQL insert these statements:

Now next time you want the mail server to receive mail
for a domain, just insert it into this table.
Apparently you need to have local: for the real domain
name of the server. However I cannot verify this.

Instead of creating loads of records in the users table,
you could implement aliases. This means you can forward loads
of accounts to one address.
Handy if you have multiple domains.
It also makes it easier to manage the users table,
and to control who can access and who receives what.
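The rules the last few paragraphs state for the users, domains and aliases data (a full address as id, a Unix crypt() hash rather than MySQL's PASSWORD(), a trailing / on maildir so Courier gets Maildir format, shared maildirs, and the abuse and postmaster role addresses for every domain) are easy to get wrong by hand. The following lint script is an added example, not the howto's SQL; it assumes rows shaped as the text describes (users carry id, crypt, home and maildir; an alias maps one address to one destination; domains is the list of hosted domains) and runs over constructed sample rows.

```python
"""Sanity checks for the virtual users, domains and aliases data.

Added example, not the howto's SQL. Row shapes are assumed from the
text: users rows carry id, crypt, home and maildir; aliases map one
address to a destination; domains is the list of hosted domains.
All sample rows below are constructed.
"""
import re

# Unix crypt() output: 13-char traditional DES, or "$id$salt$hash" (e.g. $1$ MD5).
CRYPT_RE = re.compile(r"^(?:[./0-9A-Za-z]{13}|\$[0-9a-z]+\$[^$]+\$.+)$")
# MySQL PASSWORD() output (16 hex, or "*" + 40 hex) is what the howto warns against.
MYSQL_PW_RE = re.compile(r"^(?:[0-9a-f]{16}|\*[0-9A-F]{40})$")

DOMAINS = ["domain.tld", "other.tld"]

USERS = [  # constructed rows; the hashes are placeholders, not real password hashes
    {"id": "ivar@domain.tld", "crypt": "$1$constrct$0123456789abcdefghijkl",
     "home": "/var/mail/virtual/", "maildir": "domain.tld/ivar/"},
    {"id": "sue@domain.tld", "crypt": "*0123456789ABCDEF0123456789ABCDEF01234567",
     "home": "/var/mail/virtual/", "maildir": "domain.tld/sue"},
    {"id": "bob@other.tld", "crypt": "$1$constrct$0123456789abcdefghijkl",
     "home": "/var/mail/virtual/", "maildir": "domain.tld/ivar/"},
]

ALIASES = [  # (address, destination), constructed
    ("postmaster@domain.tld", "ivar@domain.tld"),
    ("abuse@domain.tld", "ivar@domain.tld"),
    ("root@domain.tld", "ivar@domain.tld"),
    ("abuse@other.tld", "bob@other.tld"),
    ("old@other.tld", "nobody@other.tld"),
]


def check_mail_tables(domains, users, aliases):
    """Return a list of findings about the rows (empty list = nothing to report)."""
    findings = []
    ids = {u["id"] for u in users}
    alias_map = dict(aliases)
    local_addrs = ids | set(alias_map)

    for u in users:
        uid = u["id"]
        if "@" not in uid or uid.rsplit("@", 1)[1] not in domains:
            findings.append(f"{uid}: id is not a full address in a hosted domain")
        if MYSQL_PW_RE.match(u["crypt"]):
            findings.append(f"{uid}: crypt field looks like MySQL PASSWORD(), not Unix crypt()")
        elif not CRYPT_RE.match(u["crypt"]):
            findings.append(f"{uid}: crypt field is not a crypt() hash")
        if not u["maildir"].endswith("/"):
            findings.append(f"{uid}: maildir lacks trailing /, Postfix will write an mbox file, "
                            "which Courier cannot serve")

    # Rows pointing at the same directory share one mailbox; say so explicitly.
    by_dir = {}
    for u in users:
        by_dir.setdefault(u["home"] + u["maildir"], []).append(u["id"])
    for path, owners in by_dir.items():
        if len(owners) > 1:
            findings.append(f"{path}: shared by {', '.join(owners)}")

    # RFC 2142: postmaster and abuse must be deliverable in every hosted domain.
    for d in domains:
        for role in ("postmaster", "abuse"):
            if f"{role}@{d}" not in local_addrs:
                findings.append(f"{role}@{d}: missing (RFC 2142 role address)")

    # An alias into a hosted domain must land on a user or another alias.
    for src, dst in aliases:
        dom = dst.rsplit("@", 1)[-1]
        if dom in domains and dst not in local_addrs:
            findings.append(f"{src}: forwards to {dst}, which does not exist")
    return findings


if __name__ == "__main__":
    for finding in check_mail_tables(DOMAINS, USERS, ALIASES):
        print(finding)
```

Feed it the rows from a `SELECT` over your real tables before restarting Postfix; the crypt check in particular catches the most common cause of the "password is wrong" login failures reported in the comments at the end of this page.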

Email is today an important tool of communication,
and losing emails can be very annoying and
sometimes has significant implications.
So when your server goes down (which mine does every night!),
you don't want to lose any emails.
Luckily by default most email servers will keep trying to send
to your server for ~5 days. But you cannot be sure of this.

Postfix can work as a backup server.
If the primary MX server is down and this server is the secondary,
Postfix will spool all emails for that domain.
It will check at intervals whether the primary is up again and,
if so, forward the backed up emails to it.
This gives you the confidence that fewer emails will be lost.

But the flip side is that you may want people to be notified
if the urgent email they sent has been delayed.
It is a choice you have to make.

To enable backup of your own domain you don't do anything;
however to enable backup on your server of others' domain emails,
append this to Postfix's main.cf:

Replace the 1.2.3.4 with your external IP if behind a NAT.
This can be tricky if your IP keeps changing.
See Appendix F for tips on how to automate this.
The queue lifetime is how many days the server keeps the emails.
Default is 5, however 16 should cover a holiday etc.

For your server to connect directly to the primary server
when it comes online again, you need the transport field.
It contains the SMTP server address, wrapped in :[],
which indicates ignore its MX settings, just use it.

The next step is restricting who can use your server,
to protect it and stop crackers and spammers abusing it.
The basic server does restrict where mails can go and
where they can be sent from,
but offers not much protection beyond that.
This step is important, and should be followed.

Error limits stop spammers trying millions of email addresses
on your server before they get fobbed off, e.g. john@domain.tld, sue@domain.tld.
The recipient limit will stop spammers CCing hundreds of people if they get
to your server.

I initially included reject_rbl_client dnsbl.sorbs.net as well.
However it blocks my ISP's SMTP server (NTL),
which must have been an open relay at some point,
and blocking it would be problematic for me!
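The restriction list is the one place where a single misplaced word turns the server into an open relay, and the error and recipient limits above are easy to forget once the basics work. The following checker is an added example, not the howto's main.cf fragment: it parses the key = value layout of main.cf (continuation lines start with whitespace), confirms that reject_unauth_destination is present and that no unconditional permit precedes it, and reports which of the limit parameters named in the text are missing. Both configuration texts inside it are constructed; dnsbl.example.net is a placeholder, not a real blacklist.

```python
"""Lint the relay and abuse limits in a Postfix main.cf.

Added example, not from the howto. It parses the key = value layout
(continuation lines begin with whitespace) and flags settings that
would leave the server an open relay or without the error and
recipient limits the text describes. The sample files are constructed;
dnsbl.example.net is a placeholder, not a real blacklist.
"""
import re

SAMPLE_MAIN_CF = """\
# constructed sample, loosely following the howto's settings
myhostname = server.domain.tld
relayhost = smtp.yourisp.tld
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client dnsbl.example.net
smtpd_recipient_limit = 50
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 20
smtpd_error_sleep_time = 5s
"""

# Constructed "before" sample: a bare permit ahead of the reject is an open relay.
OPEN_RELAY_MAIN_CF = """\
myhostname = server.domain.tld
smtpd_recipient_restrictions = permit, reject_unauth_destination
"""

LIMIT_PARAMS = (
    "smtpd_recipient_limit",
    "smtpd_soft_error_limit",
    "smtpd_hard_error_limit",
    "smtpd_error_sleep_time",
)
# Permits that are safe in front of reject_unauth_destination.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
UNAUTH_STOPS = ("reject_unauth_destination", "defer_unauth_destination")


def parse_main_cf(text):
    """Return {parameter: value}; a later assignment wins, as in Postfix."""
    params = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()  # continuation line
            continue
        m = re.match(r"^([\w.]+)\s*=\s*(.*)$", raw)
        if m:
            key, value = m.group(1), m.group(2).strip()
            params[key] = value
    return params


def lint_relay_settings(params):
    """Return a list of findings (an empty list means nothing to complain about)."""
    findings = []
    restr = params.get("smtpd_recipient_restrictions")
    if restr is None:
        findings.append("smtpd_recipient_restrictions not set")
    else:
        items = [t for t in re.split(r"[\s,]+", restr) if t]
        stop = next((i for i, t in enumerate(items) if t in UNAUTH_STOPS), None)
        if stop is None:
            findings.append("open relay: no reject_unauth_destination in "
                            "smtpd_recipient_restrictions")
        else:
            for t in items[:stop]:
                if t.startswith("permit") and t not in SAFE_PERMITS:
                    findings.append(f"open relay: '{t}' matches before reject_unauth_destination")
    for p in LIMIT_PARAMS:
        if p not in params:
            findings.append(f"{p} not set; Postfix default applies")
    return findings


if __name__ == "__main__":
    print("good sample:", lint_relay_settings(parse_main_cf(SAMPLE_MAIN_CF)))
    print("open relay sample:", lint_relay_settings(parse_main_cf(OPEN_RELAY_MAIN_CF)))
```

The list check is deliberately blunt: it only looks at whether an unconditional permit comes before the unauthorised-destination reject. A real verification is to connect from an address outside mynetworks and try to send to a foreign domain; the server should answer with a relay denied error.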

In Postfix's master.cf we disabled the chroot jail when setting up this server.
For security's sake it is a good idea to re-enable it.
However it will take some trial and error to get this working.
One issue is that the MySQL socket is outside this jail.
This can be overcome by using TCP/IP traffic instead, by setting in your MySQL .cf files:

A webmail is an easy front end to test with, and for everyone to use.
It does not replace your normal email client usage,
but it enables quick access from other locations.
It also enables the less computer literate to use email as well.

I have chosen SquirrelMail as my webmail package.
It is not the prettiest, but it is easy to manage and setup.
It is well supported and used, and has many useful plugins.

Make sure you have the correct prerequisites installed.
If you get a DB.php error, then you have not installed
the Berkeley DB support that comes with PHP-Pear.

See Appendix A on how to get it, and extract it to your web directory.
It is all PHP and does not need compiling.
Follow the INSTALL directions in its folder,
and then run ./config/conf.pl from the folder.
Change your settings as required.
Don't enable any plug-ins at this stage.

There will be no need for data in these tables.
You need to configure your web server to point to SquirrelMail.
Either you have added SM as a folder inside an existing site,
or you will be using it as a virtual host, so change the web server's
config files if needed.
That should be it. Try it.
The login name is the id in the users table.
A user needs to have received a mail for the mail directories to be created before
logging in, so send the user an email first.

If you have followed my basic-advanced-tighter server setup,
your server is now fairly well configured.
However only your local network, or perhaps just the mail server itself,
can send emails out via your server.
Anyone else who tries will get a polite fob-off message.

That is okay if everyone can use their local ISP as a mail relay.
But not everyone can or wants to, and what happens when you are
travelling and have no access to your normal ISP?
So you need to allow people the ability
to send email via SMTP from anywhere.

But simply allowing access to the outside world is dangerous,
and quite likely will be abused.
So we need some way of authenticating the users.

SASL, a way of securely authenticating users,
is an option many use, but I don't.
The only reason is that I couldn't get it to work.
I may add it to the extensions section later.

Pop-Before-SMTP is my chosen option,
and does not actually involve any specific authentication.
As the name indicates, the server records the IP addresses
of people who authenticated okay for POP or IMAP.
It stores their IP for a brief moment, and if traffic from that
address requests SMTP shortly afterwards, it will be accepted.
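To make the mechanism concrete, here is a small simulation of it, an added example that is not the pop-before-smtp program itself: it scans Courier-style LOGIN lines, remembers the client IP of each successful POP/IMAP login, forgets it after a grace window, and answers the question Postfix would put to the access map (may this client relay right now?). The log lines are constructed, and the 30-minute window and the year 2005 used to complete the syslog timestamps are assumptions.

```python
"""Simulate the pop-before-smtp idea on Courier log lines.

Added example, not the pop-before-smtp program. It records the client
IP of every successful POP/IMAP login, forgets it after a grace window,
and answers whether an SMTP client at that IP may relay right now.
Log lines are constructed; the 30-minute window and the 2005 year
are assumptions.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan 17 10:00:01 mail imapd: LOGIN, user=ivar@domain.tld, ip=[::ffff:192.0.2.10], protocol=IMAP
Jan 17 10:00:05 mail pop3d: LOGIN FAILED, user=guest, ip=[::ffff:198.51.100.7]
Jan 17 10:03:30 mail pop3d: LOGIN, user=sue@domain.tld, ip=[::ffff:203.0.113.9]
Jan 17 10:10:00 mail imapd: LOGOUT, user=ivar@domain.tld, ip=[::ffff:192.0.2.10], headers=0, body=0
"""

# Only a successful "LOGIN," counts; "LOGIN FAILED," does not match this pattern.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?:imapd|pop3d)(?:-ssl)?: "
    r"LOGIN, user=(?P<user>[^,]+), ip=\[(?:::ffff:)?(?P<ip>[\d.]+)\]"
)


def parse_syslog_time(stamp, year=2005):
    """Syslog stamps carry no year, so one is supplied (assumed 2005 here)."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


class PopBeforeSmtp:
    def __init__(self, grace=timedelta(minutes=30)):
        self.grace = grace
        self.seen = {}  # ip -> time of the last successful POP/IMAP login

    def record_login(self, ip, when):
        self.seen[ip] = when

    def feed_log(self, text):
        """Scan log text, record every successful login, return how many were found."""
        count = 0
        for line in text.splitlines():
            m = LOGIN_RE.match(line)
            if m:
                self.record_login(m.group("ip"), parse_syslog_time(m.group("ts")))
                count += 1
        return count

    def expire(self, now):
        """Drop entries older than the grace window; return how many were dropped."""
        stale = [ip for ip, t in self.seen.items() if now - t > self.grace]
        for ip in stale:
            del self.seen[ip]
        return len(stale)

    def may_relay(self, ip, now):
        """True if `ip` logged in via POP/IMAP within the grace window."""
        last = self.seen.get(ip)
        return last is not None and timedelta(0) <= now - last <= self.grace

    def access_map(self, now):
        """The client -> OK table that Postfix's check_client_access would consult."""
        self.expire(now)
        return {ip: "OK" for ip in self.seen}


if __name__ == "__main__":
    pbs = PopBeforeSmtp()
    pbs.feed_log(SAMPLE_LOG)
    print(pbs.access_map(parse_syslog_time("Jan 17 10:20:00")))
```

Two properties of the scheme stand out in the code. The grant is per IP address, not per user, so everyone behind the same NAT or proxy as a logged-in user inherits relay rights for the whole window; and the grant is time-based, so a long window is convenient but widens that exposure. That is the trade-off the howto alludes to when it describes SASL as the more complete solution.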

Pop-before-SMTP is available as an RPM in Mdk 9.x.
However it did not seem to install the config file,
so I retrieved the latest tar file instead.

When you start receiving emails you will notice
how much of it is junk. And if you run M$ Windows
you are especially vulnerable to computer viruses.
Postfix can be adjusted to check the contents of emails,
whether they are valid and what to do about them.

For this you need a content check interface, and that is what amavisd-new
is. It is itself built upon amavisd but is now much more mature and
feature rich than the original.

If you are installing this from Mandrake 10.0, be aware MDK ships with
amavisd and amavisd-new, but only amavisd is listed as a recommended RPM. As
I prefer amavisd-new, you will have to search for amavisd.

The RPM will do all the automatic steps here, but check that they are
all done.

If you are able to, install from RPM (MDK 10.0), or if you prefer obtain
the tar.gz file from the site in Appendix: Software
and extract it. Amavisd-new is Perl based and doesn't need compiling,
but does need other modules. If you install from RPMs using e.g. RPMDrake
the dependencies will be automatically installed. Otherwise there should
be an INSTALL file to read in the folder. It will contain a list of
modules that you need. They all come with the Mdk CDs so just check if they
exist. They will all be named perl-xxxxxx as they are all Perl
modules. You may do an install like this:

Where as usual you replace the xs with the version available.
perl-MIME-Base64, perl-libnet,
perl-Time-HiRes and perl-Digest-MD5
are not RPMs with Mandrake,
as they come with the standard Perl install,
so they do not need to be installed separately.

Create a user and group to run the daemon.
This will be used for antispam & virus as well,
so make it a good one.
Then create a folder for amavisd-new to use,
and then make it owned by the user created.

SpamAssassin is possibly the most well known spam detector available.
It can be run as a server or client.
The version I use is easy to install, as it is Perl based.
To install it, run rpmdrake and pick it or do this:

rpm -i perl-Mail-SpamAssassin-x.xx-xmdk

There are further tools and plugins to choose from if you like as well.
It creates a file /etc/mail/spamassassin/local.cf
which can be tweaked when using it on its own.

To edit the options used with Amavisd-new,
open the amavisd.conf file again.
There are a number of settings to tweak,
but the defaults are fine.
Amavisd-new recognises SpamAssassin by default.

Amavisd-new has preconfigured options
for a range of scanners, and in particular it is this option
where you choose the one(s) you want.
ClamAV, a free open source virus scanner,
was my chosen product.
It has an auto update option, a large user base,
and since it is easy to set up, I am sold.
If you prefer others, free or commercial, then
choose the one you trust. McAfee's and Norton's
command line scanners work fine with Amavisd-new.

Once again an RPM for ClamAV is available from Mandrake 9.1, however it
was fairly outdated, as anti-virus software moves on quickly. So I preferred
to get the latest MDK RPM from Rpmfind.net. Install the main, the lib
and the latest virus database.


rpm -i clamav-x.xx-xmdk \
libclamav1-x.x-xmdk clamav-db-x.xx-xmdk

The conf file /etc/clamav.conf
should be okay, but change it if necessary.
Amavisd has support for it to call
the daemon and the command line version of clamd.
I could not get the daemon to work, but the command
line was fine.
Edit amavisd's conf file again and comment
out all other virus scanners in the @av_scanners section,
and then only leave ClamAV in the
@av_scanners_backup section.

Secure emails.
Create keys, encrypt, decrypt messages.

SpamCop

Report Spam utility.

User Interface changes.

The basic bland look of SM isn't the best,
but it can be enhanced with design plugins.

Multiple Anti Virus

To further ensure virus safety,
using several virus scanners
could be a good idea.
Amavisd-new certainly supports this
and all you need is to install the scanner,
then uncomment the relevant scanner section
in the amavisd.conf file.

Train SpamAssassin

To enable better spam detection,
you should train SpamAssassin.
It has a Bayesian filter which
needs data seeds to improve detection.
Also SA supports using black and white
lists for known spam.

Enabling the auto update daemon
protects you against the latest viruses.
Recommended unless you are confident
you will do it manually once a week.
Append this to the root crontab:

clamd

Dazuko & Clamuko

SASL

Secure authentication for sending emails via SMTP.
Trickier to implement and link to MySQL passwords.
But a more complete secure SMTP solution than
pop-before-smtp.

Relocation

If a user no longer uses the email address,
Postfix can send an email back to the
sender with a note that the address is no longer in use
and what the new address is.
Handy if people change it often.

A web based front end to administer the email server.
This simplifies viewing and modifying the email settings.
While this mostly targets the email addresses, domain names etc., and not actual
Postfix settings, some can be extended to enable those to also
be administered online.

A number of projects already exist which can be used.
A quick search of SourceForge
reveals several such projects, e.g. CourierAdmin,
MyPFXAdmin, myWebHosting etc.
(All phpMyAdmin inspired names...)

But as I am stubborn, I've decided to write my own.
It is not ready for public release yet though,
as it has few features, needs more debugging
and definitely needs someone to do some fluffing over it.

Download PostfixAdmin.
It is a simple Java Web Application that I wrote to administer my Postfix box.
It is not a WAR file, as you need to tweak the WEB-INF/apes.xml
and the context if needed.

PHP

MySQL Client

You need a client to create and manipulate the database.
The default command line client is fine.

rpm -i MySQL-client-x.x.xxx-x.xmdk

However a better interface is desirable.
phpMyAdmin is a web interface
that has become a standard for MySQL administration.
Fetch the PHP tar file from phpmyadmin.sf.net
and install it into a web folder.
Then read the INSTALL file.

Name: Ivar
Date: 2004-03-06
Subject: Etiquette
I will post comments made by people here: bug fixes, better tweaks, and
helpful messages etc. Comments like "You use package A, but package B is
way better, as that is what I use." won't be posted as it is not relevant.
Some of the comments will be paraphrased and edited. If you do not want comments
here, then please state so.

Name: James
Date: 2004-05-17
Subject: Postfix Howto
First I would like to say "Thank You!" for the guide you put
up at http://home.eray.biz/sites/postfix/. I have not gotten any of it to
work quite yet but am troubleshooting as I go. I did notice a couple
of small things so far that I wanted to point out: First: In the mysql_gid.cf
file you have select_field=uid and I believe it should read select_field=gid

Second: unless I missed it, we never create the DB for the users table.
This is not a big deal to do however, since your how-to is very step
by step, it may be confusing to some. Honestly I have not moved past
the basic setup yet.

I am having some permission problems (although Fetchmail grabs the mail
alright, the system is unable to create the /var/mail/virtual/foo/bar/
dir.) I am sure that this is a small issue perhaps with the way the APT
packages are set up for Debian vs the RPM's you used in Mandrake. Anyway,
although I have used postfix quite a bit in the past, this is the first
time I have used it with MySQL and Courier. The setup you end up with
is pretty much exactly what I want to eventually have so it will be worth
a bit of troubleshooting.

Thanks again; James


Name: Bob
Date: 2004-06-03
Subject: Email Server Setup

I followed the techrepublic article on email server setup for postfix,
courier-imap and squirrelmail and your article appears to be very similar.
I ran into an issue with squirrelmail preferences not working that I
finally traced to the mysql userprefs table having user set to only 20
characters, while one of my email addresses was slightly longer. This
seems like something that would affect quite a few people. I'd suggest
changing

CREATE TABLE userprefs (
user varchar(20) NOT NULL default '',

to

CREATE TABLE userprefs (
user varchar(128) NOT NULL default '',

to match the id length given in the users table.

The big problem that I have is that I would like to do filtering on the
email as it comes in, but procmail is only used for local users and not
virtual users as we have set up. I see that the users table has
procmailrc as one of the fields, but I don't know how I would use it.
Everything that I find on the internet seems to say that procmail cannot
be used with virtual users. Do you know of a way? Squirrelmail has a
nice plugin called serversidefilters that I would like to use to configure
the user procmailrc, I just haven't figured out how or if it can be done
with virtual users.

Thanks,
Bob


Name: Bob
Date: 2004-06-08
Subject: Email Server Setup

I installed maildrop and it works great with virtual users as well as with
the serversidefilter plugin in Squirrelmail. Now each user can create
filter rules easily from within Squirrelmail using a simple interface. I
would strongly suggest going with maildrop when using virtual users over
using procmail if you should ever need per user filtering.

Thanks for the reply and providing a great install document.

Bob


Name: Antti
Date: 2004-06-07
Subject: Postfix

Hi,

Thanks for your great post system install manual!
I have one problem: I cannot log in to my account. Crypt is problematic.
How does it work?
When I try to log in, I get an error that the password is wrong.

I've been following your tutorial on Postfix + Mysql
at http://home.eray.biz/sites/postfix/.

Thank you for taking the time to outline all of these
steps, without your tutorial, I'd be completely lost!

I've got postfix working using the basic
configuration, where it will accept mail to people
listed in the users table in the MySQL database.
However, the creation of mail in the virtual directory
is failing with a permission denied error.

I did a ps, and see that "virtual" is running as the
user "postfix" but the /var/mail/virtual directory is
owned by virtual, as you instructed. I'm wondering
where the virtual account is used, I don't see it in
any of your sample config files.

Click File/New/Account.
Select Email Account and click Next,
Enter your name and email address and click Next,
Select IMAP(Recommended) or Pop and
enter your servername as server and click Next,
Enter as username the full email address you inserted into the database,
into both fields and click Next,
Enter an Account name and click Next then Finish.

To wrap things up, you need to set the servers up to
start automatically.
Make sure that in /etc/rc.d/init.d
there are: postfix, courier-imap,
spamassassin, amavisd,
pop-before-smtp and maybe clamd.
Then check that they are linked from rc3, 5 and 6.
If not, do something like this:

Postfix's Maildir type email can be backed up.
The limitation is that only delivered mail can easily be backed up.
The spool files of queued mails are more tricky.
Set up a cronjob to include something like this:

tar -czf mail.tgz /var/spool/mail

I would advise a backup plan for the MySQL database as well. Utilise the
mysqldump program and back up your mail database.
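A slightly more careful version of that cron job, as an added example rather than the howto's own line: it archives the Maildir tree (skipping each mailbox's tmp/ directory, which holds deliveries still being written), verifies the archive can be read back, and runs mysqldump only when the tool is present, taking its credentials from an option file so they never show up in the process list. The Maildir root and backup location are parameters whose defaults follow this howto's /var/mail/virtual layout; the `demo` function builds a constructed Maildir tree in a temporary directory so the script can be tried without touching the real spool.

```python
"""Back up delivered Maildir mail and (when available) the MySQL mail database.

Added example, not the howto's cron line. The Maildir root and backup
location are parameters; the defaults mirror the howto's /var/mail/virtual
layout. mysqldump is only run if it is on PATH, and it reads its
credentials from an option file so they never appear on a command line.
"""
import os
import shutil
import subprocess
import tarfile
import tempfile
import time


def backup_maildirs(spool_dir="/var/mail/virtual", dest_dir="/var/backups/mail"):
    """Write dest_dir/mail-<stamp>.tgz from spool_dir and return its path.

    A Maildir keeps one message per file, so copying a live tree is safe;
    tmp/ holds deliveries still being written and is left out.
    """
    os.makedirs(dest_dir, exist_ok=True)
    archive = os.path.join(dest_dir, f"mail-{time.strftime('%Y%m%d-%H%M%S')}.tgz")

    def skip_tmp(info):
        # Returning None excludes the entry (and, for a directory, its contents).
        return None if "tmp" in info.name.split("/") else info

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(spool_dir, arcname=os.path.basename(spool_dir.rstrip("/")), filter=skip_tmp)
    return archive


def verify_archive(archive):
    """Return the sorted member names; a damaged archive raises here, not at restore time."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


def dump_database(dbname, dest_dir, defaults_file="/root/.my.cnf"):
    """Run mysqldump for `dbname` into dest_dir; returns None when mysqldump is absent."""
    if shutil.which("mysqldump") is None:
        return None
    out = os.path.join(dest_dir, f"{dbname}-{time.strftime('%Y%m%d-%H%M%S')}.sql")
    with open(out, "wb") as fh:
        subprocess.run(["mysqldump", f"--defaults-file={defaults_file}", dbname],
                       check=True, stdout=fh)
    return out


def demo():
    """Build a constructed Maildir tree in a temp dir, back it up and list the archive."""
    root = tempfile.mkdtemp()
    spool = os.path.join(root, "virtual")
    for sub in ("new", "cur", "tmp"):
        os.makedirs(os.path.join(spool, "domain.tld", "ivar", sub))
    with open(os.path.join(spool, "domain.tld", "ivar", "new", "1105956000.msg"), "w") as fh:
        fh.write("constructed message\n")
    with open(os.path.join(spool, "domain.tld", "ivar", "tmp", "half-written"), "w") as fh:
        fh.write("partial delivery\n")
    names = verify_archive(backup_maildirs(spool, os.path.join(root, "backup")))
    shutil.rmtree(root)
    return names


if __name__ == "__main__":
    for name in demo():
        print(name)
```

As the howto notes, this covers delivered mail only; messages still sitting in the Postfix queue under /var/spool/postfix are not part of the Maildir tree and need a separate plan.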